Comments on: Security Essentials on Windows Server http://migeel.sk/blog/2009/10/17/security-essentials-on-windows-server/ Windows development and other random stuff Fri, 30 Mar 2012 18:49:02 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Michal Strehovsky http://migeel.sk/blog/2009/10/17/security-essentials-on-windows-server/comment-page-1/#comment-153 Michal Strehovsky Thu, 12 Nov 2009 23:17:46 +0000 http://migeel.sk/?p=98#comment-153 Pete, if I remember correctly, there is a plugin for OllyDbg called Stealth64. Among other things, it fixes the incompatibility of OllyDbg with x64 versions of Windows. (Obviously, this will only work if the installer is 32bit. If it's 64bit, there is a debugger with similar UI to OllyDbg called fdbg, but not sure if that works.) If that doesn't work, Microsoft's Debugging Tools for Windows are a safe bet. Setting a breakpoint on GetVersionEx and editing the OSVERSIONINFOEX field should be even more easy with them. Pete,
if I remember correctly, there is a plugin for OllyDbg called Stealth64. Among other things, it fixes the incompatibility of OllyDbg with x64 versions of Windows. (Obviously, this will only work if the installer is 32bit. If it’s 64bit, there is a debugger with similar UI to OllyDbg called fdbg, but not sure if that works.)

If that doesn’t work, Microsoft’s Debugging Tools for Windows are a safe bet. Setting a breakpoint on GetVersionEx and editing the OSVERSIONINFOEX field should be even more easy with them.

]]> By: Pete Gomersall http://migeel.sk/blog/2009/10/17/security-essentials-on-windows-server/comment-page-1/#comment-152 Pete Gomersall Thu, 12 Nov 2009 22:58:50 +0000 http://migeel.sk/?p=98#comment-152 Michael, Do you know of any method with x64 version as I get a problem OllyDbg? Pete Michael,
Do you know of any method with x64 version as I get a problem OllyDbg?
Pete

]]> By: Michal Strehovsky http://migeel.sk/blog/2009/10/17/security-essentials-on-windows-server/comment-page-1/#comment-146 Michal Strehovsky Tue, 03 Nov 2009 22:28:41 +0000 http://migeel.sk/?p=98#comment-146 Yes, those are source-level constructs. But we only have a binary. If you know assembly language, you should be able to translate this to assembly. Instead of changing a structure field, you are changing a specific byte in memory. Look up OSVERSIONINFOEX on MSDN and find out where is the wProductType field stored (hint: it will be somewhere after the szCSDVersion field, which is a long Utf-16 string with the text "Service Pack 2" or something similar). Then change the value of the byte from 0x03 to 0x01. Yes, those are source-level constructs. But we only have a binary. If you know assembly language, you should be able to translate this to assembly. Instead of changing a structure field, you are changing a specific byte in memory.

Look up OSVERSIONINFOEX on MSDN and find out where is the wProductType field stored (hint: it will be somewhere after the szCSDVersion field, which is a long Utf-16 string with the text “Service Pack 2″ or something similar). Then change the value of the byte from 0×03 to 0×01.

]]> By: CJ http://migeel.sk/blog/2009/10/17/security-essentials-on-windows-server/comment-page-1/#comment-145 CJ Tue, 03 Nov 2009 22:18:29 +0000 http://migeel.sk/?p=98#comment-145 Ok I understand. But at least, could explain "wProductType field in the returned OSVERSIONINFOEX: from VER_NT_SERVER (3) to VER_NT_WORKSTATION (1)"? These commands are not in "C"? The OllyDbg does not show the file in assembly? PS.: My version of OllyDbg is 1.10. Ok I understand. But at least, could explain “wProductType field in the returned OSVERSIONINFOEX: from VER_NT_SERVER (3) to VER_NT_WORKSTATION (1)”? These commands are not in “C”? The OllyDbg does not show the file in assembly?
PS.: My version of OllyDbg is 1.10.

]]> By: Michal Strehovsky http://migeel.sk/blog/2009/10/17/security-essentials-on-windows-server/comment-page-1/#comment-144 Michal Strehovsky Tue, 03 Nov 2009 21:33:52 +0000 http://migeel.sk/?p=98#comment-144 I discussed this with someone else by e-mail and this approach only worked with OllyDbg 1.10 for him. I used the old OllyDbg too. The new version probably misses one of the calls (well, it's still a beta). Never had a chance to look at what really happens there. I won't write a step-by-step tutorial anytime soon, sorry. If you can't follow the steps above, you won't be able to resolve problems that might show up later (remember, Security Essentials on Windows Server is an unsupported and untested configuration). It's for your own good. I discussed this with someone else by e-mail and this approach only worked with OllyDbg 1.10 for him. I used the old OllyDbg too. The new version probably misses one of the calls (well, it’s still a beta). Never had a chance to look at what really happens there.

I won’t write a step-by-step tutorial anytime soon, sorry. If you can’t follow the steps above, you won’t be able to resolve problems that might show up later (remember, Security Essentials on Windows Server is an unsupported and untested configuration). It’s for your own good.

]]> By: CJ http://migeel.sk/blog/2009/10/17/security-essentials-on-windows-server/comment-page-1/#comment-143 CJ Tue, 03 Nov 2009 21:19:43 +0000 http://migeel.sk/?p=98#comment-143 I try hard, believe me. But I could not. Would like to make a step by step? Sorry my bad English. I try hard, believe me. But I could not. Would like to make a step by step? Sorry my bad English.

]]>